
Risk

7/10/2007
09:33 AM

Hackers Clean Up With Ajax

New Black Hat research shows how Ajax exposes data, users

The Ajax development tool may be easy to deploy and fun for users, but all of that cool interactivity can also put users in harm's way -- and a pair of researchers has written exploits to prove it.

Bryan Sullivan, senior research engineer for SPI Dynamics, and Billy Hoffman, lead researcher for SPI Dynamics's labs, next month at Black Hat USA will demonstrate their own specially crafted SQL injection and XPath injection attacks as well as "race-condition" exploits on Ajax.

They'll unleash their exploits on a mock Website called "Hacker's Vacation Website" that they built for the Black Hat session entitled "Premature Ajax-ulations" (really).

The crux of Ajax's problem is its heavy interaction with the client machine. Anywhere from one third to one half of most Ajax apps run out on the client, which leaves these apps wide open to attackers, the researchers say. "Any code running on the client is visible to a potential attacker. They can see what you're doing and how you're doing it," Sullivan says.

Ajax server code, too, must be more visible than the traditional Web app so that the client code can access it directly, Sullivan says.

In a traditional Web environment, such as a site that lets you purchase music, the transaction application -- login, authentication, debiting the account, etc. -- would basically run on the server. But with Ajax, that process engages the client with feedback, such as "now we're debiting your account," or "now you're downloading the software," Sullivan explains.

"There's a lot of Ajax logic on the client and it can be manipulated and exploited," Sullivan says.

The relative transparency of the Ajax-based application also makes it much simpler for an attacker to peek into the app and glean its inner workings -- and vulnerabilities -- for nefarious purposes. If a typical Web app is like a microwave -- where no one really knows or sees how it works -- Ajax is more like a toaster. "It's easy to understand, and you can look in and see the hot coils and the bread turning brown," Sullivan says. "It's easy to understand how to break it, too."

The most overlooked and serious security issue in Ajax is data transformation, where data is converted into HTML, Sullivan observes. With Ajax, that transformation often occurs at the client rather than at the server, for performance reasons. But such transformation increases the risk of SQL injection or XPath injection attacks, he says.

"If the server just sends back raw query results to the client, as is often done in Ajax apps, then an attacker can easily append his own commands and get back valid results. The entire database can be retrieved in one or two requests instead of [in] thousands."
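To make the raw-query-results problem concrete, here is an added example (not code from SPI Dynamics or the Black Hat talk) of a search endpoint for the music store described above: the "Ajaxified" version concatenates the client's search term into SQL and hands back whole rows, while the hardened version parameterises the query and transforms the result on the server into only the fields the client needs. The SQLite table and its rows are constructed sample data.

```python
import sqlite3

# Constructed in-memory catalogue standing in for the store's database.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE songs (id INTEGER, title TEXT, owner TEXT, price_cents INTEGER)")
    db.executemany("INSERT INTO songs VALUES (?, ?, ?, ?)", [
        (1, "Blue Monday", "alice", 99),
        (2, "Hot Coils", "bob", 129),
        (3, "Toaster Song", "alice", 149),
    ])
    return db

def search_vulnerable(db, user, term):
    """'Ajaxified' endpoint: the client's term is pasted into the SQL text and the
    raw rows (every column, every matching owner) go straight back to the client.
    A term that closes the quote and comments out the rest of the WHERE clause
    returns the whole table in one request, as the article warns."""
    sql = f"SELECT * FROM songs WHERE owner = '{user}' AND title LIKE '%{term}%'"
    return db.execute(sql).fetchall()

def search_hardened(db, user, term):
    """Same search, server in control: the term is bound as a parameter so it can
    only ever be data, the owner check cannot be commented away, and the server
    transforms the rows into the minimal JSON-ready shape the page needs."""
    rows = db.execute(
        "SELECT id, title FROM songs WHERE owner = ? AND title LIKE ?",
        (user, f"%{term}%"),
    ).fetchall()
    return [{"id": song_id, "title": title} for song_id, title in rows]
```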

And retrofitting an older Web app to Ajax is even less secure than developing it from scratch, the researchers say. "When someone 'Ajaxifies' a traditional Web app for whatever reason -- a good business reason or because it's trendy -- they have now taken an application that was secure and broken it, so it's not secure anymore," Sullivan says. He says he recently has seen an "Ajaxified" app that updates passwords. "So anyone could access this directory and change anything they want."

So what should enterprises do to secure their Ajax-based apps?

"We're not going to say don't use Ajax. We think it's great," Sullivan says. "But watch your granularity of functions" in your apps. That may mean making a sensitive part of a transaction, for instance, one larger function rather than embedding a lot of back-and-forth correspondence between the client and server, he says. "So before a user could download a song, he or she would need to log in again."
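The "granularity" advice above, as an added example that is not the researchers' own code: instead of exposing login, debit and download as separate client-driven calls, the purchase is one server-side function that re-authenticates, checks and debits the balance, and issues a single-use download token, so the client never drives the intermediate steps. User records, the catalogue and the password salt are constructed sample values.

```python
import hashlib
import hmac
import secrets

SALT = b"constructed-demo-salt"  # constructed; a real store would use a per-user salt

def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed sample state standing in for the store's user and song tables.
USERS = {"alice": {"pw_hash": _hash("correct horse"), "balance_cents": 200}}
CATALOGUE = {7: {"title": "Hot Coils", "price_cents": 129}}
DOWNLOAD_TOKENS = {}

def _authenticate(user, password):
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(rec["pw_hash"], _hash(password))

def buy_song(user, password, song_id):
    """One coarse-grained transaction: the server re-checks the login, the price
    and the balance, debits the account and mints the download token. The client
    sees only the outcome, so there is no client-side step to skip or reorder."""
    if not _authenticate(user, password):
        return {"ok": False, "error": "authentication failed"}
    song = CATALOGUE.get(song_id)
    if song is None:
        return {"ok": False, "error": "unknown song"}
    acct = USERS[user]
    if acct["balance_cents"] < song["price_cents"]:
        return {"ok": False, "error": "insufficient funds"}
    acct["balance_cents"] -= song["price_cents"]
    token = secrets.token_urlsafe(16)
    DOWNLOAD_TOKENS[token] = (user, song_id)
    return {"ok": True, "token": token, "balance_cents": acct["balance_cents"]}

def redeem_download(token):
    """The token is single-use and resolved on the server: the client cannot
    request a download it has not paid for, nor replay a token it already used."""
    grant = DOWNLOAD_TOKENS.pop(token, None)
    if grant is None:
        return None
    return CATALOGUE[grant[1]]["title"]
```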

— Kelly Jackson Higgins, Senior Editor, Dark Reading
